The Ultimate Security Checklist for Cursor, Claude & Lovable Apps
Each AI coding tool leaves a slightly different security footprint. Here's the checklist broken down by platform, so you know exactly what to check for the tool you're actually using.
Cursor
Full-stack code generation means more surface area — auth middleware, database queries, payment integrations.
- Verify every hallucinated-looking npm package actually exists and matches the expected author
- Grep deployed JS bundles for
sk_live,sk-proj, or any server-only key - Test every
/adminand/api/admin/*route with no session — should 401/403, not redirect - Confirm SQL queries use parameterization, not string concatenation
Claude Code
Strong at following explicit instructions — which means security requirements left unstated are the ones most likely to be missing.
- If you didn't explicitly ask for rate limiting on an AI/LLM endpoint, assume it isn't there
- Check that
max_tokensis set on every API call — unbounded generations are a cost and abuse vector - Confirm user input isn't concatenated directly into system prompts (prompt injection)
- Review any auth middleware Claude generated line by line — it will follow the spec you gave it exactly, including any gap in that spec
Lovable
Ships fast on top of Supabase — which means Supabase misconfiguration is the dominant risk category.
- Enable Row Level Security on every table — Lovable does not do this by default
- Check for
USING (true)policies that unintentionally allow unrestricted reads - Confirm the Supabase service role key is never exposed to the client — only the anon key should appear in bundles
- Test the anon key directly against your REST API — can it read tables it shouldn't?
What's common to all three
- No HTTP security headers by default — CSP, HSTS, X-Frame-Options must be added manually
- Payment webhook handlers rarely verify signatures unless explicitly told to
- None of the three tools run an adversarial test on their own output — that requires a separate pass, see AI Pentesting
Run this checklist automatically, whichever tool you used.
Scan My App →